Dev loop4: unable to read RDB block 1
loop4: unable to read partition table
loop4: partition table beyond EOD, truncated
loop_reread_partitions: partition scan of loop4 () failed (rc=-5)
==================================================================
BUG: KASAN: slab-out-of-bounds in put_unaligned_be32 include/linux/unaligned/access_ok.h:60 [inline]
BUG: KASAN: slab-out-of-bounds in sha1_base_finish include/crypto/sha1_base.h:102 [inline]
BUG: KASAN: slab-out-of-bounds in sha1_final+0x283/0x2e0 crypto/sha1_generic.c:58
Write of size 4 at addr ffff8801b0970718 by task syz-executor0/12447

CPU: 0 PID: 12447 Comm: syz-executor0 Not tainted 4.18.0-rc2+ #118
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
 put_unaligned_be32 include/linux/unaligned/access_ok.h:60 [inline]
 sha1_base_finish include/crypto/sha1_base.h:102 [inline]
 sha1_final+0x283/0x2e0 crypto/sha1_generic.c:58
 crypto_shash_final+0x104/0x260 crypto/shash.c:152
 kdf_ctr security/keys/dh.c:186 [inline]
 keyctl_dh_compute_kdf security/keys/dh.c:217 [inline]
 __keyctl_dh_compute+0x1198/0x1be0 security/keys/dh.c:389
binder: 12451:12452 unknown command 32
 keyctl_dh_compute+0xc5/0x11f security/keys/dh.c:425
 __do_sys_keyctl security/keys/keyctl.c:1741 [inline]
 __se_sys_keyctl security/keys/keyctl.c:1637 [inline]
 __x64_sys_keyctl+0x12a/0x3b0 security/keys/keyctl.c:1637
binder: 12451:12452 ioctl c0306201 20000000 returned -22
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
binder: 12451:12452 got transaction to context manager from process owning it
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66
binder: 12451:12452 transaction failed 29201/-22, size 0-0 line 2843
2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f9638cc2c68 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 00007f9638cc36d4 RCX: 0000000000455a99
binder: undelivered TRANSACTION_ERROR: 29201
RDX: 0000000020a53ffb RSI: 0000000020000200 RDI: 0000000000000017
RBP: 000000000072bea0 R08: 0000000020000140 R09: 0000000000000000
R10: 0000000000000286 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004bfd68 R14: 00000000004cefb8 R15: 0000000000000000

Allocated by task 12447:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x760 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 keyctl_dh_compute_kdf security/keys/dh.c:211 [inline]
 __keyctl_dh_compute+0x1000/0x1be0 security/keys/dh.c:389
 keyctl_dh_compute+0xc5/0x11f security/keys/dh.c:425
 __do_sys_keyctl security/keys/keyctl.c:1741 [inline]
 __se_sys_keyctl security/keys/keyctl.c:1637 [inline]
 __x64_sys_keyctl+0x12a/0x3b0 security/keys/keyctl.c:1637
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 839:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 qdisc_free+0x89/0x100 net/sched/sch_generic.c:941
 qdisc_destroy+0x4a6/0x690 net/sched/sch_generic.c:977
 shutdown_scheduler_queue net/sched/sch_generic.c:1273 [inline]
 netdev_for_each_tx_queue include/linux/netdevice.h:2057 [inline]
 dev_shutdown+0x1b0/0x5da net/sched/sch_generic.c:1279
 rollback_registered_many+0x8f8/0xef0 net/core/dev.c:7465
 unregister_netdevice_many+0xfb/0x4d0 net/core/dev.c:8577
 default_device_exit_batch+0x459/0x560 net/core/dev.c:9043
 ops_exit_list.isra.7+0x105/0x160 net/core/net_namespace.c:155
 cleanup_net+0x537/0xb50 net/core/net_namespace.c:523
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at ffff8801b0970480
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 664 bytes inside of
 1024-byte region [ffff8801b0970480, ffff8801b0970880)
The buggy address belongs to the page:
page:ffffea0006c25c00 count:1 mapcount:0 mapping:ffff8801da800ac0 index:0xffff8801b0971b00 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea00072a3508 ffffea0006c25508 ffff8801da800ac0
raw: ffff8801b0971b00 ffff8801b0970000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b0970600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b0970680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801b0970700: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff8801b0970780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801b0970800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================